Becoming resilient against risk: the new benchmark for best-practice security
System compromise can affect not only an organisation’s information but its people and reputation
22 March 2019
In the information security field, best practice now looks beyond an organisation’s ability to recover from incidents, to being resilient against them. So how do we define resilience, and what does it look like in practice? Information resilience is a state where an organisation or its clients can access their information securely and at exactly the moment they need it, with its integrity assured, regardless of the threats that exist.
When information systems are compromised, it affects not only an organisation’s information but its people and reputation. Ultimately, it’s the responsibility of an organisation – and specifically its senior executives – to ensure its information systems are available and resilient against an entire spectrum of issues and threats.
The key to achieving information resilience for an organisation is to realise the importance of the information assets it controls. How it does this will vary by the nature of the business, and different technologies are available to manage it, but the work should always be systematic and measurable.
Reaching this state does not need to be complicated, but it must involve the entire business from entry to senior level. Upper management need to be fully engaged in the process if it is to work; that starts by asking how resilient the organisation currently is.
Information resilience empowers organisations to safeguard their information – physical, digital and intellectual property – throughout its lifecycle from creation to destruction. It requires adopting information security-minded practices that enable stakeholders to create, store, access, use – and ultimately destroy – information securely and effectively.
In practice, this breaks down into four interconnecting sub-domains to address with strategies, plans and actions. These are: cybersecurity; information management and privacy; security awareness and training; compliance with requirements and regulations. When addressing these four domains, organisations need to employ operational best practices and good governance. They must be implemented in areas such as information security management, privacy management, third party supplier management, awareness, vulnerability management, data loss prevention (DLP), change management and review processes.
Incident management exercises help organisations practise their procedures outside of an actual event. They should also use repeatable, risk-based processes to understand the potential risks posed by third-party suppliers.
Organisations that have achieved a state of information resilience are ready for the unexpected: they can stand over their ability to proactively identify and/or pre-empt potential threats. They can also deal with unexpected issues before those issues degrade the organisation’s ability to carry out its core business.
There are many business benefits in planning for resilience. Organisations depend on having information to hand, either to support business decisions or to deliver service to customers. By understanding their own business processes, they can carry on business operations even after a serious incident. This ensures the longevity and sustainability of the business.
The BSI International Cyber Resilience Exchange 2019 will examine this area in depth. It takes place at the Convention Centre Dublin on Tuesday 26 March. The day-long conference will feature leading Irish and international security experts discussing global cybercrime trends, the latest insights and technology innovations to protect against cyberthreats. Planned themes for the event include: strategic insights on building information resilience; privacy and data protection after Brexit; the cybersecurity landscape and how IT professionals can mitigate the risks; cyber defence for the hybrid cloud; the human nature of cybersecurity and the proliferation of social engineering; and the impact of cybersecurity on resilience. For more information, visit www.bsicyberexchange.com.
Stephen O’Boyle is global head of professional services for BSI Cybersecurity and Information Resilience